1. Field of the Invention
The invention relates to security in computers and more particularly to a method for protecting executable software programs against infection by computer software virus programs.
2. Description of the Related Art
Computer software virus programs on personal computers and/or servers (especially those received through the Internet) are becoming more and more common and increasingly more dangerous. Virus programs are adapted to corrupt other executable computer software programs, such as by replicating themselves over an existing program or by adding code to the beginning or end of the program. Since their appearance, the number, performance, and intelligence of virus programs have greatly increased. The persons who write computer viruses continue to find means for making their viruses increasingly transparent and difficult to detect by a computer user.
However, the methods used by various virus programs for infecting computer programs are substantially similar. Most computer viruses replicate themselves by infecting executable programs. Executable programs typically comprise a series of instructions that are executed by a central processing unit (CPU) of a computer containing the program, when the program is invoked. The objective of computer viruses is to obtain control of a desired executable program before normal processing of the program begins. Therefore, the virus program must have its instructions executed by the CPU, before the CPU begins processing the instructions of the executable program.
Since the virus often writes its code into the program at several different locations, restoring the program is a time consuming process. Further, as the virus code is in the program at different locations, it is substantially difficult to be absolutely sure that the virus code is completely removed from the program when the program is restored, without damaging the program itself.
There are systems in the prior art for protecting executable programs from infections by virus programs. One such system performs a lockdown of the computer by inventorying all the files on the machine. In such a system, an information technology professional initiates lockdown in response to an identified network or computer threat. The lockdown process creates a list of executable program files which are deemed as trusted. A signature is then created for the trusted executable program files. The trusted signature for an executable program file is compared to a newly created signature for that same program each time the program is executed. If the newly created signature does not match the trusted signature, the information technology professional is notified. Operation of the prior art lockdown system is time consuming when collecting the trusted file information and creating signatures for the trusted files. The inefficiency in performing a lockdown is further exacerbated when the lockdown computer is a larger or shared server or computer.
It is desirable to not only efficiently monitor and protect computers from malicious executable program files but to also efficiently monitor the executable program file's behavior. These behaviors may include executions, registry access, and network access.